
Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often: KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest data breaches. Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, and providers. This attack is notable for all companies, not just healthcare providers covered by HIPAA. According to reports, the hackers gained access to Banner’s larger systems through the point-of-sale computer system that processes food and beverage purchases. The attack was discovered on July 13, and Banner believes the hackers originally gained access on June 17.

Many companies — particularly hospitals — have only a perimeter firewall to protect access into and out of the core network. It is less common for companies to have multiple layers of security protecting the individual systems operating “inside the firewall”. Readers will recall that the main route for the Target hackers into that system was through a small vendor. The “kill chain” analysis of the Target matter is still highly recommended reading on this topic. At Banner, once the hacker was into the food and beverage system (maintained by a separate vendor), the gate was open to the entire network. This is yet another example of the importance of data mapping and systems mapping to locate, identify and protect the core systems where protected health information (or other critical information) is stored. That exercise adds visibility into devices not necessarily controlled by the institution and allows further controls to be applied to them. Flat networks and broad access can easily allow the bad guys to roam freely once they are in the door.
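As an added illustration (not code from the original post), the following Python check runs over a constructed systems map and flags vendor-administered devices that can reach systems holding PHI, first on a flat network and then after the point-of-sale system is moved into its own zone. All system names, zones and permitted flows are hypothetical.

```python
from collections import deque

# Constructed example: a hypothetical hospital systems map (not any real network).
# Each entry records the network zone, who administers the system and whether it holds PHI.
FLAT_SYSTEMS = {
    "pos-cafeteria": {"zone": "corp", "owner": "vendor", "phi": False},
    "file-server":   {"zone": "corp", "owner": "internal", "phi": True},
    "ehr-db":        {"zone": "clinical", "owner": "internal", "phi": True},
}
# Zone-to-zone flows the perimeter firewall permits; inside a zone everything can talk freely.
FLAT_FLOWS = {("corp", "clinical")}

# The same systems after segmentation: the vendor POS lives in its own zone that may only
# reach the card-payment zone, never corp or clinical.
SEGMENTED_SYSTEMS = {**FLAT_SYSTEMS,
                     "pos-cafeteria": {"zone": "pos", "owner": "vendor", "phi": False}}
SEGMENTED_FLOWS = {("corp", "clinical"), ("pos", "payment")}


def reachable_zones(start, flows):
    """Zones reachable from `start`, following permitted flows transitively (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in flows:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def vendor_paths_to_phi(systems, flows):
    """Sorted (vendor_system, phi_system) pairs where a vendor-run device can reach PHI storage."""
    findings = []
    for name, dev in systems.items():
        if dev["owner"] != "vendor":
            continue
        zones = reachable_zones(dev["zone"], flows)
        for target, tgt in systems.items():
            if tgt["phi"] and tgt["zone"] in zones:
                findings.append((name, target))
    return sorted(findings)


if __name__ == "__main__":
    print("flat network: ", vendor_paths_to_phi(FLAT_SYSTEMS, FLAT_FLOWS))
    print("segmented:    ", vendor_paths_to_phi(SEGMENTED_SYSTEMS, SEGMENTED_FLOWS))
```

On the flat map the vendor POS reaches both PHI systems; after segmentation the same check returns no findings.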

Example #2 is an attack reported on NewKirk Products, a vendor providing identification cards for insurance plans. On July 6, NewKirk reportedly discovered that a server containing broad categories of PII of 3.3 million insurance plan members had been accessed without authorization.

If your business has not undertaken a comprehensive review of the third-party vendors that have access to your network, a starting place is a review of our webinar on third-party risk and risk assessments. Listen here.
